pkgsrc-Users archive


Re: pkgsrc for chroot jail builds



On Sun, Sep 22, 2024 at 12:03 AM Martin Husemann <martin%duskware.de@localhost> wrote:
> On Sat, Sep 21, 2024 at 07:32:58AM -0700, George Georgalis wrote:
> > It might be so simple there are no tools? Install binaries, chroot and run.
> > This is straightforward, but could be wasteful of disk space if there are
> > many jails.
>
> I do that (without something I'd call "tool"). But why would you need
> multiple "jails" with similar content? The only time I use multiple
> destdirs on the same machine is when they differ by OS version (and I use
> libkver to make it look like an older kernel to the chroot).

some context was missing from my inquiry...

to use some untrusted firefox tampermonkey javascript,
I created a desktop in vm and access with rdp and ssh

it's messy but reasonably safe, eg versus firefox profiles
on a trusted workstation, reasonably safe from exploits,
and/or user error (me)

discussion of evaluating unsafe or known malicious code
led to brainstorming methods to securely partition software
for other reasons too, such as vetting for use in secure env.

the idea of a tool is for consistent redeployments, in addition
to a standard for cataloging the partitioned components.
if sets of software components are combined to form jail images
for hpc jobs there could be a lot of needless file duplication.
if 100s of these ro images are maintained on HPC SSD, that
could add up and make hardlinks reasonable.

there might not be a tool because every site requires different
integration, I was just wondering if anyone had experience to
share about optimizing partitioned ro software deployments
with hardlinks, or some other means.

Besides, wouldn't a low maintenance optimized system with 100s
of jail images for users to choose from when submitting hpc jobs
be kinda cool? Every hpc site I've seen has had the challenge of
users wanting better management of per job environments.
Maintenance, cataloging, distribution, and selection of these images,
per job, on hpc nodes, usually involves two of quick, good, and cheap.


--
George Georgalis, (415) 894-2710, http://www.galis.org/
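
The hardlink deduplication across read-only jail images that this message asks about, as an added example that is not part of the original post or of pkgsrc. It assumes the image trees are administrator-owned, sit on one filesystem, and are not being modified during the run; `dedup_images` and `demo` are hypothetical names, and the sample trees are constructed.

```python
import hashlib, os, stat, tempfile

def _digest(path, bufsize=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bufsize), b""):
            h.update(chunk)
    return h.digest()

def dedup_images(image_roots):
    """Hardlink identical regular files across image trees; return bytes saved."""
    seen = {}   # (dev, mode, uid, gid, size, sha256) -> first path seen
    saved = 0
    for root in image_roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or st.st_size == 0:
                    continue  # skip symlinks, devices and empty files
                # A hardlink shares the inode, so owner and mode must match
                # too, and st_dev keeps links within one filesystem.
                key = (st.st_dev, st.st_mode, st.st_uid, st.st_gid,
                       st.st_size, _digest(path))
                keep = seen.setdefault(key, path)
                if keep == path or os.path.samestat(os.lstat(keep), st):
                    continue  # first copy, or already linked to it
                tmp = path + ".dedup-tmp"
                os.link(keep, tmp)      # create the link beside the target
                os.replace(tmp, path)   # then rename over it atomically
                saved += st.st_size
    return saved

def demo():
    """Constructed sample: two small image trees sharing one identical file."""
    with tempfile.TemporaryDirectory() as top:
        for img, tool in (("imgA", b"tool v1\n"), ("imgB", b"tool v2\n")):
            os.makedirs(os.path.join(top, img, "bin"))
            for name, data in (("libc.so", b"x" * 4096), ("tool", tool)):
                with open(os.path.join(top, img, "bin", name), "wb") as f:
                    f.write(data)
        roots = [os.path.join(top, "imgA"), os.path.join(top, "imgB")]
        saved = dedup_images(roots)
        a, b = (os.stat(os.path.join(r, "bin", "libc.so")) for r in roots)
        return saved, a.st_ino == b.st_ino, a.st_nlink

if __name__ == "__main__":
    print(demo())
```

Linked files share one inode, so a write made through any one image changes the file in every image that links it; the images need to stay read-only wherever they are exposed to jobs.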


